Announcing Launch and Free Public Beta of HCP Boundary

Written by HashiCorp | Jul 18, 2022

HashiCorp Boundary is now available as a managed service on the HashiCorp Cloud Platform in free public beta to standardize secure remote access to critical infrastructure regardless of where it resides.

Automate Your Remote Access Workflows

HCP Boundary fully automates workflows for both user and target onboarding, which drastically minimizes the configuration overhead for operators and, unlike traditional access solutions, enables them to keep users and targets up-to-date in cloud environments.

First, HCP Boundary integrates with trusted identity platforms, such as Azure Active Directory, Okta, Ping, and many others that support OpenID Connect, to onboard trusted identities and delegate authentication. Next, operators can configure fine-grained authorization to critical systems and infrastructure based on identity (individual users can also do this for themselves). HCP Boundary then streamlines connection to hosts and targets by automating service discovery and access configuration as workloads are deployed or changed (dynamic host catalogs are currently available with AWS and Microsoft Azure).

This is critical in ephemeral, cloud-based environments so that operators don’t need to continually reconfigure access lists. Finally, HCP Boundary integrates with HashiCorp Vault, our secrets management solution, to broker credentials for critical infrastructure that are valid only for that session. This means no credentials are shared, so they won’t be accidentally lost or leaked.

With HCP Boundary, there are no SSH keys or VPN credentials to manage, no manual onboarding of target hosts and services, and no hard-coded or shared credentials for critical infrastructure. The result is a vastly simplified onboarding experience that reduces the risk of a credential compromise.

No More Exposing Networks

Across clouds, local datacenters, and low-trust networks, HCP Boundary provides an easy solution to protect and safeguard access to applications and critical systems by leveraging trusted identities without exposing the underlying network. HCP Boundary is an identity-aware proxy that sits between users and the infrastructure they want to connect to. The proxy has two components:

  1. A control plane that manages state for users under management, targets, and access policies, along with a group of external providers that HCP Boundary can query for service discovery.
  2. Worker nodes, assigned by the control plane once a user authenticates into HCP Boundary and selects a target to connect to. They are stateless proxies that need to have end-network access to targets under management.

HCP Boundary presents the session to the user as a TCP tunnel wrapped in mutual TLS, which mitigates the risk of a man-in-the-middle attack. As a result, if a user connects to a target over SSH through an HCP Boundary tunnel, there are two layers of encryption: the SSH session that the user creates and the underlying TLS session that HCP Boundary creates.

HCP Boundary access model

HCP Boundary is fully managed by HashiCorp, but users can choose to self-manage Boundary workers (i.e. Boundary’s gateway nodes).

HCP Boundary with self-managed workers.

Self-managing your workers allows your Boundary users to securely connect to private endpoints (e.g. targets and Vault) without exposing your networks to the public or even to HashiCorp-managed resources.

Try HCP Boundary Beta Free Today

Try HCP Boundary today and get started connecting securely to your first target infrastructure in less than 15 minutes. To get started, sign up for HCP Boundary for free and check out the HCP Boundary tutorial on HashiCorp Learn.

We want to hear from you. Once you’re up and running, please feel free to send us feedback.
